Category Archives: Latest News

PetrWrap Ransomware has been detected as a new member of the ransomware family that exploits the original Petya ransomware module. It is spread through a RaaS platform and used in targeted attacks against small organizations and companies. The creators of this new ransomware built a special module that modifies the original Petya ransomware, leaving Petya’s authors helpless against the unauthorized use. To do so, PetrWrap Ransomware first hooks a couple of Petya’s functions, replacing the instructions that call Petya’s DLLEntryPoint with NOPs. This prevents Petya from proceeding on its own and allows PetrWrap Ransomware to make all necessary preparations and computations before letting it continue.

In May 2016, Petya ransomware was discovered by Kaspersky Lab; it not only encrypts stored data but also overwrites the hard disk drive’s MBR. According to malware researchers, PetrWrap Ransomware does not appear to be an official version of Petya; instead it wraps the original Petya binary and patches its malicious code to execute a series of custom malicious commands. When your PC is infected with this ransomware, it sends the encryption keys and handles all payment operations via the Petya RaaS backend. Wrapping the original Petya binary allowed its creators to modify the ransom note, removing any mention of the Petya name and the flashing red skull.

According to the Kaspersky researchers, PetrWrap Ransomware operates in the same way: looking for unsecured RDP servers, launching brute-force attacks, compromising the server and using other tools to get inside the organization’s network. It is still unclear how PetrWrap Ransomware is being distributed, but after infection it launches Petya to encrypt the victim’s data and then presents a ransom note. The authors of this ransomware use their own public and private encryption keys instead of those that come with ‘stock’ versions of Petya. Petya generates a 16-byte key and uses the Salsa20 cipher to encrypt files on local drives.

It uses a flawless cryptographic implementation that is very hard to break. It is used in targeted attacks, and unfortunately that is most likely. If you really want to protect your organization from attacks of PetrWrap Ransomware, then follow this advice:

Use a trusted and well-reputed anti-virus tool.

Keep and manage your backups on a regular basis so that you can easily restore your original files.

Conduct a security assessment of the network controls to identify and close any security loopholes.

Pay attention to operational and engineering staff and their awareness of recent attacks and threats.

Request external threat intelligence from reputable vendors to help your organization.

Security researchers spotted cyber offenders using macro malware as a vector to spread Neutrino Bot, also known as Kasidet, through spear phishing emails. Such an email appears to be from a known person or a business, but it is not. These emails come from the same con artists who want your credit/debit card information, bank account details and other financial information from your machine. Over the past three weeks, criminal hackers have been using the same VBA (Visual Basic for Applications) macros in Microsoft Office documents that have been used to drop Dridex in order to drop Neutrino Bot as well. According to the researchers, the malicious MS Office documents are usually spread as attachments to spear phishing emails.

Once the malicious file attached to the spear phishing mail is downloaded, researchers observed a particular strain of Neutrino Bot stealing confidential information from the user’s computer via browser hooking and memory scraping. Macro malware, which abuses Microsoft Office products, saw its heyday in the late 90s when it was first reported and identified as the Melissa virus. Microsoft subsequently took security measures, including adding a permissions step for Office document users, to help curtail the issue. However, a new and improved version of this macro malware was spotted last year.

Security analysts have identified a new phishing campaign used to spread the Ursnif Banking Trojan to computer users all around the world. Cyber offenders adopted a deceptive technique for distributing the banking Trojan via a spam email campaign that contains a malicious document and misleads web surfers into downloading the Ursnif Trojan executable. Security researchers identified two main components of the malware’s distribution: a spam botnet is used to send the malicious emails, and hacked web servers host the Trojan. According to the security experts, the spam botnet is focused on distributing the Ursnif Banking Trojan to computers in Japan, Germany, Australia, Spain and Poland.

These days, Gmail is one of the most popular electronic communication media, through which we can easily communicate with other people. It helps not only with communication but also with storing documents for professional purposes. We are all familiar with its features and behavior, and its pretty strong spam filters are one of its strong points. Google manages to keep most spam emails and messages out of your inbox, but it cannot keep out everything, especially when a message arrives from a spoofed @gmail.com address.

It’s Time To Update Older Versions of Chrome or Windows OS?

Google doesn’t generally announce when it discontinues support for older versions of the Chrome browser. However, breaking with tradition, the Mountain View search giant posted that users of Chrome version 53 and earlier would be rerouted to the basic HTML version of Gmail starting in December 2017. Most often, users do not care which version of Google Chrome they’re using, and the silent update mechanism ensures that most Chrome users are always on the latest available version of the browser. Still, there can be various reasons why some users cannot upgrade their browser, with an older OS version being one of the most probable.

VirLocker Ransomware is in no way new; the threat has been making a mess of victims’ computers for quite a few years now. This ransomware was the first well-known example of a polymorphic ransomware virus, and it spared its victims no misery. It can be propagated just like any other cyber infection, but this malware has a trick up its sleeve when it comes to infecting other users: every file that VirLocker Ransomware encrypts on the infected machine becomes a VirLocker threat itself. So many affected users will accidentally send an infected version of a file to their friends and colleagues. Even backup copies become infected, and even installed applications and ‘exe’ files are not safe.

Most importantly, once infected with VirLocker Ransomware, users can no longer trust a single file stored on their affected PCs. This makes cleaning up the system a problem, because nothing can be trusted at all and every installed app you use has become dirty. Even attempting to download and install a security tool can be a problem, because while the malware is running on the machine the ransomware will attempt to infect each and every new file before it gets opened. If you find yourself infected with the new variant of this nasty computer threat, do not attempt to eliminate it yet! In this security article, you will get not only a brief description of this ransomware but also detailed information on how to restore files encoded by VirLocker Ransomware.

First there was the Black Screen of Death, where a Windows 3.x system displayed white text on a black background when it crashed. Then, around the time of Windows NT, Microsoft switched to the Blue Screen of Death error, where the crashed PC displays white text on a blue background. These error screens have been an important part of Windows culture since forever. Now Microsoft is ready to take yet another step in its transition from old to new: it seems that the newest, unofficial Windows Insider preview build of Windows 10 is using a new GSOD (Green Screen of Death), according to MSPU reports.

Spora Ransomware is an advanced encryption virus which shows that ransomware developers are performing attacks professionally. It includes an extensive ransom notification with support for multiple languages, free decryption of two files, double encryption and a victim-friendly payment website. The name Spora comes from the Russian word for ‘spore’. It relies on bogus invoice emails for its distribution; these emails carry ZIP files which contain HTA (HTML Application) files as attachments.

However, users might not realize it, because the HTA files use double extensions such as ‘DOC.HTA’ and ‘PDF.HTA’, which means that users might only notice the first extension. Clicking on those HTA files launches Spora Ransomware. According to malware researchers, when a user runs the HTA file, it extracts a malicious JavaScript file named ‘close.js’ into the %Temp% folder, which then extracts an executable into the same folder and runs it. The executable generally uses a randomly generated name. This executable is the main encryptor and begins to encode the files and data stored on the infected system.
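A defender-side check for the lure described above, written as an added example (not code from the original post): it inspects a ZIP attachment in memory, without extracting anything, and flags entries whose name ends in an executing extension such as .HTA hidden behind a document extension. The extension lists and the sample archive are assumptions constructed for this example.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Assumed lists for this example: the visible "document" part of a double
# extension, and extensions Windows executes when double-clicked.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}
EXECUTABLE_EXTS = {"hta", "js", "jse", "vbs", "wsf", "exe", "scr"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason if the entry name looks like a lure (e.g. DOC.HTA)."""
    base = name.rsplit("/", 1)[-1]          # ignore any folder inside the ZIP
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None                         # no executing extension at the end
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension .{parts[-2]}.{parts[-1]}"
    return f"executable attachment .{parts[-1]}"


def suspicious_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """List ZIP entries to quarantine, with the reason; reads names only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the invoice lure; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017.DOC.HTA", "<html><!-- placeholder --></html>")
        zf.writestr("scan.PDF.HTA", "<html><!-- placeholder --></html>")
        zf.writestr("readme.txt", "plain text, harmless")
        zf.writestr("archive.tar.gz", "not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_zip()):
        print(f"QUARANTINE {entry}: {why}")
```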

A new Linux variant of KillDisk Ransomware has been discovered by researchers, with the potential to cause serious harm to the entire computer system. According to security experts, this infection is a new addition to the KillDisk disk wiper malware family, which was previously only used to ruin companies by randomly deleting data and altering files. The Linux variant of KillDisk Ransomware was first discovered by ESET, just a week after researchers from CyberX detected the first KillDisk versions that include ransomware features.

According to CyberX’s researchers, its first version was compatible only with the Windows OS. Now, as a member of the perilous ransomware family, KillDisk Ransomware also encrypts the system’s crucial files after fully penetrating it, but researchers have reported that its working algorithm is completely different on the Windows and Linux versions. According to researchers, on Linux KillDisk Ransomware does not save the encryption key anywhere on the disk or online.

Cerber ransomware is yet again in the news, and this time for a specific reason. The newly identified versions of this ransomware behave somewhat differently from the previous ones. The biggest change in the recently detected version of Cerber Ransomware is that it does not delete the shadow volume copies; instead, it targets and prioritizes specific folders only. This change has been spotted only in the recent version, but that does not mean shadow volumes won’t be targeted in future versions. This discovery comes mainly via the Microsoft Malware Protection Center along with Heimdal Security.